2014: Good Old Days of Compliance

[Chart: probability of compliance drift, i.e. the probability that system configurations have deviated from expectations or documentation, plotted over a six-month audit schedule (Q1, Q2); manual audit sampling methods compared with software-assisted automated audits.]
2019: Security is Continuous and Unified

To reduce the 'attack surface': Intelligent, Continuous & Unified
To reduce breaches due to misconfigurations, lack of monitoring: Configuration & Monitoring

Question remains: Is Compliance and Risk really continuous?
Compliance and Risk are Not Connected with Security

Password requirements as stated by four mandates:

HIPAA Security Rule, section 164.308(a)(5)(ii)(D), Implementation Specification: Password Management (A): Procedures for creating, changing, and safeguarding passwords.

NERC CIP-007-5 Table R5, System Access Control, Part 5.5. Applicable systems: High Impact BES Cyber Systems and their associated 1. EACMS; 2. PACS; and 3. PCA; Medium Impact BES Cyber Systems and their associated 1. EACMS; 2. PACS; and 3. PCA. Requirement: For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: 5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and 5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

PCI DSS Requirements, 8.2.3: Passwords/passphrases must

CIS Critical Security Controls, CSC 16-3: Ensure that systems automatically create a report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.

[CIS Controls graphic: Inventory and Control of Software, Secure Configurations, Continuous Vulnerability Management; mapped to Qualys VM and PC.]
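The mandates above all come back to the same technical facts about a host: the password parameters it enforces and the state of its accounts. The example below (added here; not Qualys code and not taken from any of the standards' own tooling) evaluates a collected set of password settings against CIP-007-5 R5.5.1 and R5.5.2 exactly as quoted on the slide, including the "lesser of" clause for assets that cannot support eight characters or three character classes, and builds the four-part account report that CSC 16-3 asks for. The data structures, the sample values and the 90-day maximum password age are assumptions.

```python
"""Added example: evaluate collected password settings against CIP-007-5 R5.5.1 and
R5.5.2 as quoted on the slide, and build the CSC 16-3 account report.
Not Qualys code; data structures, sample values and the 90-day age are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PasswordSettings:
    """Password parameters collected from one Cyber Asset (constructed input)."""
    min_length: int             # minimum length the asset enforces
    max_length_supported: int   # longest password the asset can accept
    required_char_classes: int  # distinct classes enforced (uppercase, lowercase, numeric, non-alphanumeric)
    max_classes_supported: int  # most classes the asset is able to enforce


def cip_007_5_5_1(s: PasswordSettings) -> dict:
    """R5.5.1: length at least the lesser of eight characters or the maximum the asset supports."""
    required = min(8, s.max_length_supported)
    return {"required": required, "actual": s.min_length,
            "status": "PASS" if s.min_length >= required else "FAIL"}


def cip_007_5_5_2(s: PasswordSettings) -> dict:
    """R5.5.2: complexity at least the lesser of three character types or the maximum supported."""
    required = min(3, s.max_classes_supported)
    return {"required": required, "actual": s.required_char_classes,
            "status": "PASS" if s.required_char_classes >= required else "FAIL"}


def evaluate_password_settings(s: PasswordSettings) -> dict:
    """Both CIP parts for one asset, keyed by requirement part."""
    return {"CIP-007-5 R5.5.1": cip_007_5_5_1(s), "CIP-007-5 R5.5.2": cip_007_5_5_2(s)}


@dataclass
class Account:
    """One local account as an account collector would report it (constructed input)."""
    name: str
    locked_out: bool
    disabled: bool
    password_never_expires: bool
    password_last_set: Optional[date]   # None if no password has ever been set


def csc_16_3_report(accounts: List[Account], today: date, max_password_age_days: int = 90) -> dict:
    """CSC 16-3 report: locked-out accounts, disabled accounts, accounts whose password is
    older than the maximum password age, and accounts whose password never expires.
    An account flagged 'never expires' is not also reported as over-age, since no age
    limit applies to it; the 90-day maximum is an assumed policy value."""
    report = {"locked_out": [], "disabled": [], "password_age_exceeded": [], "never_expires": []}
    for a in accounts:
        if a.locked_out:
            report["locked_out"].append(a.name)
        if a.disabled:
            report["disabled"].append(a.name)
        if a.password_never_expires:
            report["never_expires"].append(a.name)
        elif a.password_last_set is not None and (today - a.password_last_set).days > max_password_age_days:
            report["password_age_exceeded"].append(a.name)
    return report


# Constructed sample input: a host enforcing 8 characters but only two character classes.
SAMPLE_SETTINGS = PasswordSettings(min_length=8, max_length_supported=14,
                                   required_char_classes=2, max_classes_supported=4)
TODAY = date(2019, 11, 13)
SAMPLE_ACCOUNTS = [
    Account("jdoe", locked_out=True, disabled=False, password_never_expires=False,
            password_last_set=date(2019, 10, 1)),
    Account("svc_backup", locked_out=False, disabled=False, password_never_expires=True,
            password_last_set=date(2018, 1, 15)),
    Account("contractor1", locked_out=False, disabled=True, password_never_expires=False,
            password_last_set=date(2019, 5, 2)),
    Account("asmith", locked_out=False, disabled=False, password_never_expires=False,
            password_last_set=date(2019, 11, 1)),
]

if __name__ == "__main__":
    for part, result in evaluate_password_settings(SAMPLE_SETTINGS).items():
        print(part, result)
    for category, names in csc_16_3_report(SAMPLE_ACCOUNTS, TODAY).items():
        print(category, names)
```

The sample host passes R5.5.1 (8 characters against a 14-character maximum) but fails R5.5.2 (two classes enforced where three are required), which is the kind of partial result a single technical check produces and that then has to be attributed to every mandate that cites it.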
Semi-automated Way for Connecting

Time to value
Time to see / roll up the operational data
Security data of varied nature: FIM, Patch, Malware
Scoping and Tracking 'In-Scope' Assets
Application complexity with connectors
Evolution
Continuous Compliance & Risk From Continuous Security

Qualys Unified Compliance & Risk
Map security to compliance

Qualys Platform for unified and continuous security
Integrated Security Platform
Continuous Compliance from Continuous Security

Qualys Unified Compliance maps every app's output to compliance requirements

[Screenshot: Unified Compliance Assessment view, filtered by Mandate.name like '%Fedramp Mod%', last 30 days]

MANDATE ID / CID   OBJECTIVE / CONTROL NAME                        OBJECTS          STATUS  PASS  FAIL  ASGNT. STATUS
IA-5               Authenticator management                        1992             Fail    1036  959   -
IA-5 (1)           Password-Based Authentication                   1308 (Assets)    Fail    1011  297   -
  Datacenter Assets                                                1134 (Assets)    Fail    907   227   NA
  1071             Status of minimum password strength             1058 (Assets)    Fail    838   220   Unassigned
  10459            Status of required special characters           824 (Assets)     Fail    634   190   Unassigned
  SaaS Objects                                                     1 (Connector)    Pass    1     0     NA
  60032            GSUITE Admin Strong Password Policy...          1 (Connectors)   Pass    1     0     Resolved
  61011            Microsoft365 AD Password Policy Enforc...       1 (Connectors)   Pass    1     0     Resolved
  Mobile Devices                                                   170 (Assets)     Fail    100   70    NA
  89               Mobile phone passcode length                    170 (Assets)     Fail    100   70    In Progress
  Public Cloud Services                                            3 (Connectors)   Pass    3     0     NA
  6                Ensure that AWS IAM password policy is...       3 (Connectors)   Pass    3     0     NA
                   Ensure IAM password policy requires at...       3 (Connectors)   Pass    3     0     NA (Critical)


New-age Challenges: Teams Speaking Different Languages

Elastic, Kafka, custom web servers
Identify risk and compliance
Secure hosts, config/integrity/vulnerability management

Security & Compliance needs should be running with DevOps from the start
Start Compliant, Stay Compliant in DevOps with Qualys PC

[Screenshot: Jenkins pipeline 'aws-golden-ami-pipeline', Stage View. Stages: Launch a CentOS instance with the Source AMI; Launch VM scan on instance; further stages. Latest run (Nov 01, 15:57): 11min 21s, failed.]

QUALYS POLICY COMPLIANCE RESULTS

CID    Title                                                                                              Technology  Criticality
14602  Status of the 'nosuid' option for '/tmp' partition using 'mount' command                           CentOS 7    4
10804  Status of the SELinux current mode (running configuration)                                         CentOS 7    4
10643  Status of iptables package                                                                         CentOS 7    4
12815  List of runtime audit rules for '/etc/passwd' file, using auditctl                                 CentOS 7    4
10664  Status of the 'OPTIONS' setting within '/etc/sysconfig/chronyd' file                               CentOS 7    4
9473   Existence of the 'extraneous' files and directories (Sensitive files/Directories)                  Tomcat 8    3
9477   Status of 'X-Powered-By' setting within 'server.xml' file                                          Tomcat 8    4
9551   Status of the 'secure' attribute for each 'Connector' elements whose 'SSLEnabled' are set to 'true'  Tomcat 8    4
9605   Status of the command-line flag 'STRICT_SERVLET_COMPLIANCE' set for the Tomcat process             CentOS 7    4
9565   Status of the 'web server processes' which are not started with 'Security Manager'                 CentOS 7    4

Qualys FIM Monitors From CD Phase

[Screenshot: Jenkins pipeline stages: Embed Qualys Cloud Agent; Enable PC and VM Module on cloud agent; Enable FIM Module on cloud agent; FIM: Create and apply Base Profile; FIM: Apply OS/application specific profile. Stage timings 59 to 63 ms; latest run marked failed at every stage.]
Discover and Assess Technologies with Dynamic Paths

Apache Tomcat 8.x

Qualys PC enables automatic discovery and assessment of middleware technologies from host scans
There's no need to create authentication records

1. Apache Tomcat Controls
  (1.1) 9505 Status of the 'permissions' within '$CATALINA_HOME/webapps' directory
    1. Apache TC 8::/opt/apache-tomcat-8.0.18/apache-tomcat-8.0.18
    2. Apache TC 8::/opt/apache-tomcat-8.5.20
    3. Apache TC 8::/opt/apache-tomcat-8.5.20/apache-tomcat
    4. Apache TC 8::/opt/apache-tomcat-8.5.20/apache-tomcat1
  (1.2) 9602 Status of the 'manager application (webapps/manager)' setting
    1. Apache TC 8::/opt/apache-tomcat-8.5.20/apache-tomcat1
    2. Apache TC 8::/opt/apache-tomcat-8.0.18/apache-tomcat-8.0.18
    3. Apache TC 8::/opt/apache-tomcat-8.5.20/apache-tomcat
    4. Apache TC 8::/opt/apache-tomcat-8.5.20
  (1.3) 9603 Status of the 'manager application (manager.xml)' setting
  (1.4) 9606 Status of the command-line flag 'RECYCLE_FACADES' set for the Tomcat process
  (1.5) 9610 Status of the 'connectionTimeout' value within 'Connector' element in 'server.xml' file
  (1.6) 9611 Status of the 'maxHttpHeaderSize' value within 'Connector' element in 'server.xml' file

Status: PASS
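Two of the Tomcat 8 controls that appear in the pipeline results (CID 9477, X-Powered-By, and CID 9551, the 'secure' attribute on SSL-enabled Connectors) can be evaluated from server.xml alone, and the dynamic-path view above shows why the evaluation has to run once per discovered instance path rather than once per host. The example below is added here; it is not Qualys content and does not reproduce how the Qualys controls are implemented. The check logic, the two sample server.xml files (one weak, one hardened) and the instance paths are assumptions.

```python
"""Added example: evaluate CID 9551 and CID 9477 from the slide's Tomcat 8 results
over several discovered instance paths. Not Qualys code; the check logic, the
sample server.xml files and the instance paths are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict


def check_9551_secure_on_ssl_connectors(root: ET.Element) -> dict:
    """CID 9551: each Connector with SSLEnabled='true' must also carry secure='true'.
    Without it Tomcat does not treat requests on that connector as secure, so
    security constraints and secure-cookie handling do not get the HTTPS treatment."""
    failing = [c.get("port", "?") for c in root.iter("Connector")
               if c.get("SSLEnabled", "false").lower() == "true"
               and c.get("secure", "false").lower() != "true"]
    return {"cid": 9551, "status": "FAIL" if failing else "PASS", "evidence": failing}


def check_9477_x_powered_by(root: ET.Element) -> dict:
    """CID 9477: a Connector with xpoweredBy='true' advertises the servlet container
    in an X-Powered-By response header; the attribute should be absent or 'false'."""
    failing = [c.get("port", "?") for c in root.iter("Connector")
               if c.get("xpoweredBy", "false").lower() == "true"]
    return {"cid": 9477, "status": "FAIL" if failing else "PASS", "evidence": failing}


def evaluate_server_xml(xml_text: str) -> Dict[int, dict]:
    """Run both checks against one server.xml and key the results by CID."""
    root = ET.fromstring(xml_text)
    return {r["cid"]: r for r in (check_9551_secure_on_ssl_connectors(root),
                                  check_9477_x_powered_by(root))}


def evaluate_instances(instances: Dict[str, str]) -> Dict[str, Dict[int, dict]]:
    """Evaluate every discovered instance separately, labelled the way the dynamic-path
    view on the slide labels them ('Apache TC 8::<path>')."""
    return {f"Apache TC 8::{path}": evaluate_server_xml(xml) for path, xml in instances.items()}


# Constructed sample: the weak file exposes X-Powered-By on port 8080 and runs an
# SSL connector on 8443 without secure='true'; the hardened file corrects both.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" xpoweredBy="true"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" maxThreads="150"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" xpoweredBy="false"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https" maxThreads="150"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Two instance paths from the slide, each with its own server.xml (assumed contents).
SAMPLE_INSTANCES = {
    "/opt/apache-tomcat-8.0.18/apache-tomcat-8.0.18": WEAK_SERVER_XML,
    "/opt/apache-tomcat-8.5.20": HARDENED_SERVER_XML,
}

if __name__ == "__main__":
    for instance, results in evaluate_instances(SAMPLE_INSTANCES).items():
        for cid, r in results.items():
            print(instance, cid, r["status"], r["evidence"])
```

The evidence list carries the port of each failing Connector, which is what a remediation ticket needs; a host-level pass/fail would hide that one of several co-located instances is the one at fault.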


CISO Responsibility: Ensure Security Controls are in Place and Functioning
https://www.bitsight.com/blog/ciso-roles-and-responsibilities

Is anti-virus active, updated for signatures, scanning?
Is the FIM, EDR agent configured correctly to monitor?
Are OS-native application protection and memory protection configured?

Need to have Security Control Validation (SCV) in place to test and confirm that security tools are configured properly on all endpoints
Security Control Validation from Policy Compliance

Anti-virus technologies | Qualys FIM Agent | Splunk | Kafka | Native Malware Protection

[Screenshot: Policy Compliance Reports view, 51 total control instances (1-50 of 51 shown). Category: Anti-Virus/Malware...; criticality: Medium, Serious, Critical, Urgent; posture: Pass, Error, Fail. Policy: Qualys Policy for Security Control Validation on Windows Platform. Controls evaluated Nov 13, 2019: 12364 Status of the 'CommunicationStatus' (Last time st...); 13738 Status of the Symantec 'last Virus scan time' older... Technologies: Windows 10, Windows Server 2012 R2, Windows 2008 Server.]
Start Gold, Continuously Assess, Remediate

[Screenshot: Policy Compliance, Control View. Query: Policy.name like '%RDP%' and asset.tagName='USproduction' and control.status='failed', last 24 hrs. 72 total controls; trending panel for Policy.name like '%RDP%'.]

POSTURE  CID   CONTROL NAME                                                                       TECHNOLOGY           ASSET NAME      POLICY EVALUATION
Failed         Status of the 'Terminal Services' service                                          Windows 2008 Server  XAVIERHQ39WIN   Jun 02, 2018
Failed   1430  Status of the 'Terminal Services' service                                          Windows 7            SFOO3HQLP79     Mar 21, 2018
Failed   1040  Status of the 'Set time limit for active Remote Desktop Services sessions' setting  Windows 10           SFO04HQLP713    May 03, 2018
Failed   2200  Current list of Groups and User Accounts granted the ...                           Windows              DCO3SJC1SQLDB   Oct 22, 2018
Alert and Incident Management for Authorized vs Unauthorized Changes During Patching

[Screenshot: Qualys Enterprise File Integrity Monitoring, Rule Manager. 3 total activities. Rule names: Unauthorized Windows Patching Activity (2), Authorized Windows Patching Activity (1). Action name: Windows Patch Activity... (3), with e-mail recipients configured. Rule description begins "This Rule lists down all the events which ...". Each rule run shows Success: Yes, last run 29 minutes ago / 2 hours ago, over the period 14 Oct to 15 Nov.]
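The two rule names on the slide separate changes made by the patching process inside the approved window from everything else. The example below (added here; not Qualys FIM rule syntax and not the product's own logic) shows the decision a rule of that kind has to make over a few constructed file-change events: a change counts as authorized only if it falls inside the patch window and was made by a known Windows servicing process running as SYSTEM, so an interactive user editing a system file during the window, and the servicing process itself writing outside the window, both land in the unauthorized rule. The event fields, the window and the trusted process list are assumptions.

```python
"""Added example: sort file-change events seen during a Windows patch window into the
two rules named on the slide, 'Authorized Windows Patching Activity' and
'Unauthorized Windows Patching Activity'. Not Qualys FIM rule syntax; the event
fields, the change window and the trusted process list are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

AUTHORIZED_RULE = "Authorized Windows Patching Activity"
UNAUTHORIZED_RULE = "Unauthorized Windows Patching Activity"

# Windows servicing components that are expected to write system files during patching
# (assumed allow-list for this example).
PATCH_PROCESSES = {"TrustedInstaller.exe", "TiWorker.exe", "wuauclt.exe"}
PATCH_ACTORS = {"NT AUTHORITY\\SYSTEM"}


@dataclass
class FimEvent:
    time: datetime
    path: str
    action: str    # Create, Modify, Delete, Attributes
    actor: str     # account that made the change
    process: str   # image name of the changing process


def classify(event: FimEvent, window_start: datetime, window_end: datetime) -> str:
    """A change is authorized only if it happened inside the approved patch window
    AND was made by a known servicing process running as SYSTEM; anything else
    (wrong actor, wrong process, or outside the window) is unauthorized."""
    in_window = window_start <= event.time <= window_end
    trusted = event.process in PATCH_PROCESSES and event.actor in PATCH_ACTORS
    return AUTHORIZED_RULE if (in_window and trusted) else UNAUTHORIZED_RULE


def build_incidents(events: List[FimEvent], window_start: datetime,
                    window_end: datetime) -> Dict[str, List[FimEvent]]:
    """Group events by rule, one incident per rule, like the rule counts on the slide."""
    incidents: Dict[str, List[FimEvent]] = {AUTHORIZED_RULE: [], UNAUTHORIZED_RULE: []}
    for e in events:
        incidents[classify(e, window_start, window_end)].append(e)
    return incidents


def incident_counts(events: List[FimEvent], window_start: datetime,
                    window_end: datetime) -> Dict[str, int]:
    """Per-rule event counts, the figure shown next to each rule name."""
    return {rule: len(evts)
            for rule, evts in build_incidents(events, window_start, window_end).items()}


# Constructed sample: patch window 02:00 to 04:00 on 12 Nov 2019.
WINDOW_START = datetime(2019, 11, 12, 2, 0)
WINDOW_END = datetime(2019, 11, 12, 4, 0)
SAMPLE_EVENTS = [
    FimEvent(datetime(2019, 11, 12, 2, 15), r"C:\Windows\System32\ntoskrnl.exe", "Modify",
             "NT AUTHORITY\\SYSTEM", "TrustedInstaller.exe"),   # in window, servicing process
    FimEvent(datetime(2019, 11, 12, 2, 20), r"C:\Windows\System32\drivers\etc\hosts", "Modify",
             "CORP\\jdoe", "notepad.exe"),                      # in window, but an interactive user
    FimEvent(datetime(2019, 11, 12, 14, 5), r"C:\Windows\System32\kernel32.dll", "Modify",
             "NT AUTHORITY\\SYSTEM", "TrustedInstaller.exe"),   # servicing process, outside window
]

if __name__ == "__main__":
    for rule, evts in build_incidents(SAMPLE_EVENTS, WINDOW_START, WINDOW_END).items():
        print(rule, len(evts))
        for e in evts:
            print("  ", e.time, e.path, e.actor, e.process)
```

Keeping actor and process on every event is what makes the split possible; a rule that keyed only on path or time would file the user's edit of the hosts file as patching noise.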


FIM gives context of changes in Cloud

[Screenshot: Qualys Enterprise, Asset Details for instance i-076e2369b896dfe3e, Cloud Agent FIM Events panel: "Unauthorized events on S3 bucket from instance (instance id)". Total events 5.0K: Authorized 4584, Unauthorized 498.]

TIME          TARGET                     ACTION           ACTOR                     EVENT STATUS
an hour ago   bucketauditreports/        PutBucketPolicy  InstanceProfile/i-07f6..  Access...
an hour ago   bucketauditreports/t...    GetObject        InstanceProfile/i-07f6..  Access...
an hour ago   bucketauditreports/ec2...  DeleteObject     InstanceProfile/i-07f6..  Unauthorized
an hour ago   bucketauditreports/RDS...  DeleteObject     InstanceProfile/i-07f6..  Unauthorized
an hour ago   bucketauditreports/tom...  DeleteObject     InstanceProfile/i-07f6..  Unauthorized

Network Devices Can't be Scanned or Hosts too Sensitive but in Security & Compliance Scope

Use OCA APIs
- Create custom assets
- Push command output, vulnerability, config data

Controls validate settings
Report vulnerabilities, security and misconfigurations

[Screenshot: asset 154.36.214.3 (hp-in01-prn02). Tracking Method: OCA. Last Scan Date: 09/05/2019 at 11:12:12 (GMT+0530). Asset Tags: OCA. Controls 12: Passed 12 (100%), Failed 0, Error 0, Approved Exceptions 0.]

HP FutureSmart 4.x
1. System Configuration: PASS
  (1.1) 1118 Status of the 'File Transfer Protocol (FTP)' service
  (1.3) 10270 Status of the SNMP community strings
  (1.4) 12413 Status of the 'AppleTalk' protocol
  (1.5) 13857 Status of version of firmware stored in boot PROM
  (1.6) 14039 Status of SNMP configuration of version SNMPv1
Your security is only as strong as your weakest vendor

Qualys Security Assessment Questionnaire (SAQ) helps in managing vendor risk per criticality

[Screenshot: SAQ dashboard. High risk vendors: 6. Active vendor campaigns: 21. My active campaigns: Employee Half Yearly, 93% (Nov 2, 2018 to Nov 20, 2018); Finance Vendors Quarterly Check, 64% (Oct 29, 2018 to Nov 23, 2018); APAC Office Vendors, 47% (Nov 12, 2018 to Nov 30, 2018); Contractors Quarterly Check, 24% (Aug 20, 2018 to Oct 30, 2018); IT Assets Management, 18% (Oct 12, 2018 to Dec 20, 2018). Vendor campaign status, total 53: Active 21, Inactive 8, Complete 18, Canceled 6. Panels: Overall campaign aging (Overdue 13), Vendor risk analysis (Very High ...), Top 5 vendors by risk.]

Open APIs: Integrate with Any External SIEM, DWH

[Screenshot: FIM dashboard with Export option, time range 'all time' (default 30 days). Panels: Total changes; Events by severity (Severity 1 to 5); File changes by change action; Directory changes by change action; Top changes by user (NT AUTHORITY\SYSTEM); Top changes by process (Agent.exe); Changes by OS platform; Changes by type; Changes by category; Changes by profile.]

Policy Compliance (PC)

Policy Compliance Advantages

Best in class technology and content coverage for Configuration Management
>400 Policies, >10,000 controls
>150 technologies (traditional, emerging)
Widest coverage for CIS, STIG, Mandates and beyond

Data collection from all Qualys sensors
Custom database security & integrity controls
Auto-discovery of middleware technologies
Auto-remediation for configuration failures
New PC UI and Customizable Dashboard

PC Roadmap

Q4 - 2018
Faster PC agent data processing
File Content search for Windows (search sensitive content)
Auto-discovery for database techs

Q4 - 2018
New, customizable PC dashboard

2020 Q1
New PC UI
Dynamic, real-time compliance against policies, mandates
Integration of PC/config data with Asset Inventory
Gold policies to fix configuration issues 'upfront'
Ticketing integration with JIRA, ServiceNOW

2020 Q2
Configuration assessment for RDS
Automated alerting for compliance, config failures
Support for executing scripts/commands for custom apps
PC agent support for web server technologies
Compliance trending
File Integrity Monitoring (FIM)

Qualys FIM: In First Year

Built on the same Qualys Cloud Agent
Real-time detection for high volume, high scale
Nothing to install, easy to configure, quick win
Automated incident management and alerting
Out of the box PCI monitoring profiles for OS and applications
No infrastructure, data load for you to manage

[Screenshot: Cloud Agent asset view (Agent, Modules, Tags tabs).]
FIM Roadmap

Q4 - 2019
Process, user and time-period inclusions and exclusions for event data collection

Q4 - 2019
FIM hosts health and status: % of hosts with latest data, stale hosts with no changes, hosts without a FIM monitoring profile

2020 Q1
Windows Registry monitoring for changes
External integration with JIRA, ServiceNOW
FIM for cloud storage (S3 bucket content monitoring): cloud-trail integration
Template-based reporting

2020 Q2
Monitoring for file content changes/text changes
Graph-based topology view of file change alerts and incidents with actor, process
Monitoring profiles: import/exports
Integration with Qualys Patch Management for managing changes due to patching